From: John Wong (johnwk@unimelb.edu.au)
Date: Sat Nov 27 2004 - 11:19:58 GMT-3
Nico,
You're right. The sequence does matter. If you have the chance
to try it out, you'll see the TCP packets getting dropped. So,
no surprises here. The "deny ip any any" has to go after the
evaluate statement.
Cheers.
Nico van Niekerk wrote:
> Hi,
>
> Does a reflexive acl stop processing when a match is made?
>
> If so, doesn't ip include tcp as well when matching "ip any any"?
>
> Should the evaluate statement in OUT_FILTER not be before the deny ip any
> any?
>
> ip access-list extended IN_FILTER
> permit tcp any any reflect MIRROR
>
> ip access-list extended OUT_FILTER
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit pim any any
> permit icmp any any
> deny ip any any
> evaluate MIRROR
>
> Strange how you think you understand something only to find out there's a
> lot you're not sure about.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
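The point both posters settle on (an access-list is walked top to bottom and stops at the first match, "ip" covers tcp, so "evaluate MIRROR" behind "deny ip any any" never fires) can be checked without a router. The following is an added example, not code from the thread or from Cisco: a small Python model of first-match ACL processing with a reflexive table, fed the two access-lists from Nico's post and a constructed return packet. Host addresses, ports and the name `lookup` are assumptions for the illustration; real IOS behaviour such as entry timeouts and the "established" keyword is deliberately left out.

```python
"""Model of IOS first-match ACL processing with reflexive entries.

Added example for the OUT_FILTER ordering question; not part of the thread.
Simplifications (assumptions): exact 5-tuple matching only, no timeouts,
no "established", and "ip" is the only protocol wildcard.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "icmp", "pim", ...
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit", "deny" or "evaluate"
    proto: str = "ip"               # "ip" matches every IP protocol, tcp included
    dport: Optional[int] = None     # "eq <port>" on the destination
    sport: Optional[int] = None     # "eq <port>" on the source
    reflect: Optional[str] = None   # reflexive list populated by this permit
    evaluate: Optional[str] = None  # reflexive list consulted by an evaluate


# name of reflexive list -> set of mirrored 5-tuples (temporary entries on IOS)
REFLEX = {}


def lookup(acl, pkt):
    """Walk the ACL top to bottom; the first matching entry decides."""
    for e in acl:
        if e.action == "evaluate":
            # An evaluate only matches if a mirrored entry exists for this packet.
            if pkt in REFLEX.get(e.evaluate, set()):
                return "permit"
            continue
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.action == "permit" and e.reflect:
            # "reflect": record the mirror image of the permitted session.
            REFLEX.setdefault(e.reflect, set()).add(
                Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return e.action
    return "deny"   # implicit deny at the end of every IOS access-list


# ip access-list extended IN_FILTER (as posted)
IN_FILTER = [Entry("permit", "tcp", reflect="MIRROR")]

# ip access-list extended OUT_FILTER (as posted: evaluate after deny ip any any)
OUT_FILTER_AS_POSTED = [
    Entry("permit", "tcp", dport=179),   # permit tcp any any eq bgp
    Entry("permit", "tcp", sport=179),   # permit tcp any eq bgp any
    Entry("permit", "pim"),
    Entry("permit", "icmp"),
    Entry("deny", "ip"),                 # deny ip any any
    Entry("evaluate", evaluate="MIRROR"),
]

# Corrected order: evaluate before the deny, as John's reply says.
OUT_FILTER_FIXED = OUT_FILTER_AS_POSTED[:4] + [
    Entry("evaluate", evaluate="MIRROR"),
    Entry("deny", "ip"),
]


def run_scenario(out_filter):
    """Return the verdict for three constructed packets under a given OUT_FILTER."""
    REFLEX.clear()
    # Constructed: an inside host opens an HTTPS session through IN_FILTER,
    # which creates the mirrored MIRROR entry.
    lookup(IN_FILTER, Packet("tcp", "10.0.0.5", "203.0.113.7", 40000, 443))
    reply = Packet("tcp", "203.0.113.7", "10.0.0.5", 443, 40000)       # return traffic
    unsolicited = Packet("tcp", "198.51.100.9", "10.0.0.5", 50000, 22)  # no session
    bgp = Packet("tcp", "198.51.100.1", "10.0.0.1", 30000, 179)        # static permit
    return {
        "reply": lookup(out_filter, reply),
        "unsolicited": lookup(out_filter, unsolicited),
        "bgp": lookup(out_filter, bgp),
    }


if __name__ == "__main__":
    print("as posted:", run_scenario(OUT_FILTER_AS_POSTED))
    print("fixed:    ", run_scenario(OUT_FILTER_FIXED))
```

With the list as posted, the return packet of a session the router itself recorded is dropped, because "deny ip any any" matches it first and the evaluate line is never reached; moving the evaluate above the deny lets the mirrored entry permit it, while an unsolicited inbound connection with no mirrored entry is still denied and the static BGP permits are unaffected in either order.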
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:50 GMT-3